Saturday 29 April 2017, 18:44  #1
ELF x64 - Stack buffer overflow - advanced
1Project
  • 1 posts

Getting shell, but under a different user. I’ve used ROPGadget to generate rop

app-systeme-ch34@challenge03: $ (cat /tmp/kekcode -) | ./ch34
..skipped
whoami
app-systeme-ch34
cat .passwd
cat: .passwd: Permission denied

What am I doing wrong?

Saturday 27 May 2017, 20:28  #2
Yandros
  • 9 posts

You need to be app-systeme-ch34-cracked to have read access to .passwd.
So you might want to complete the ROP chain (with the syscall) to set your effective user id right.
See https://en.wikipedia.org/wiki/User_identifier

Saturday 27 May 2017, 20:47  #3
Yandros
  • 9 posts

The effective user id (euid) matches the real user id (ruid) (app-systeme-ch34) instead of being the executable owner's user id (app-systeme-ch34-cracked) (see https://en.wikipedia.org/wiki/User_identifier). That means the program dropped its privileged euid and you need to set it right back (it is an extra step in this ROP challenge, quite frustrating after managing everything else, but hey, at least you end up learning new stuff ;) )

Complete your ROP chain to fix that (google how to replicate seteuid() C function with an assembly syscall)

Saturday 3 June 2017, 12:43  #4
saltthehash
  • 7 posts

For these challenges, you need to use the dash shell in order for your shellcode to get the cracked user's privileges.
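The two explanations above (post #3: the euid was dropped back to the ruid; post #4: bash resets its euid to the ruid at startup when the two differ, unless started with -p, which dash does not do) both come down to the Linux real/effective/saved user id model. The C program below is an added illustration written for this thread, not code from the challenge or from any poster: it reads the three ids with getresuid(), shows the difference between a temporary drop (seteuid(), which leaves the owner's id in the saved uid so it can be regained, which is the situation post #3 describes) and a permanent drop (setresuid() on all three ids, the defensive choice), and models the rule an unprivileged process is bound by when it later calls seteuid(). The function names and the struct are this example's own.

```c
#define _GNU_SOURCE          /* getresuid/setresuid are GNU extensions in glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototypes so the example still compiles if a system header was
   included before _GNU_SOURCE took effect (identical redeclaration is legal). */
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Snapshot of the three user ids of the calling process. */
struct uids { uid_t real, effective, saved; };

static struct uids current_uids(void) {
    struct uids u;
    if (getresuid(&u.real, &u.effective, &u.saved) != 0)
        u.real = u.effective = u.saved = (uid_t)-1;
    return u;
}

/* Temporary drop: euid becomes ruid, but the saved uid still holds the binary
   owner's id, so anything controlling the process can regain it with seteuid(). */
static int drop_temporarily(void) {
    return seteuid(getuid());
}

/* Permanent drop: real, effective and saved ids all become ruid; nothing is left
   to regain. This is what a set-uid program should do once it no longer needs
   the owner's privileges. */
static int drop_permanently(void) {
    uid_t r = getuid();
    return setresuid(r, r, r);
}

/* Returns 1 if an unprivileged process with ids u could switch its euid to
   target: Linux only allows seteuid() to the current real, effective or saved id. */
static int can_regain(struct uids u, uid_t target) {
    return target == u.real || target == u.effective || target == u.saved;
}

static void show(const char *label, struct uids u) {
    printf("%-18s ruid=%u euid=%u suid=%u\n", label,
           (unsigned)u.real, (unsigned)u.effective, (unsigned)u.saved);
}

int main(void) {
    struct uids start = current_uids();
    uid_t owner = start.effective;   /* the privileged id if run as a set-uid binary */
    show("at start:", start);

    if (drop_temporarily() != 0)
        perror("seteuid");
    struct uids after_temp = current_uids();
    show("after seteuid:", after_temp);
    printf("owner id %u can still be regained: %s\n", (unsigned)owner,
           can_regain(after_temp, owner) ? "yes" : "no");

    if (drop_permanently() != 0)
        perror("setresuid");
    struct uids after_perm = current_uids();
    show("after setresuid:", after_perm);
    printf("owner id %u can still be regained: %s\n", (unsigned)owner,
           can_regain(after_perm, owner) ? "yes" : "no");
    return 0;
}
```

Run as an ordinary user all three ids are already equal, so both "can be regained" lines print "yes" for your own id; the difference only shows on a binary whose owner differs from the user running it, where the first line reports "yes" (the saved uid still holds the owner) and the second "no".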